The Art of Creating Good Passwords

No matter who you are, passwords have become a critical component of one's personal life in the modern era. They are the first line of defense against unauthorized access to your personal information and technology. Your computer, your phone, your bank; they all make use of passwords in an effort to protect you from hackers and malicious software. Unfortunately, it's not simply the existence of a password that matters, because ever evolving hardware and hackers constantly discovering new and more advanced techniques to get retrieve user passwords are changing the playing field. Now, you not only need a password, but you need one that will try to withstand the deluge of attacks that could be brought against it in a compromise.

Microsoft Research released a study in 2007 which suggests that the average web user has an average of 25 accounts to maintain. Yet, the same study suggests only approximately 6 unique passwords are used among the different accounts. Unfortunately, there is quite an excess of security breaches one can choose from to see how dangerous password re-use can be. AOL, Sony, Heartland, Zappos, Ebay, and a ton of others have had compromises in recent years, exposing millions of users' passwords to hackers. But it doesn't simply stop there; each time a breach is recognized and this password data is leaked, the same data is tried against other web sites across the web in an attempt for the attackers to steal more of your personal information and assets.

What they can do

The first crucial part of password security is out of the hands of the regular web user. The sites you visit and use must implement proper techniques and algorithms to keep you safe. Too many times now, sites have been caught using old and insufficiently secure methods to store user information. There isn't much the average user can do here, especially considering you often have no way of knowing what goes on behind the scenes. This makes a good case for keeping different unique passwords at each site you use. The industry best practice is to transform your password into a password hash. In it's hashed form, there should be no way for a hash to be mathematically "reversed" into its plaintext form. For your attacker to compromise your password, they will now have to try repeated "guesses" against your hash using the same algorithm, and hope they can get a match. Don't be fooled, however, this is much easier than it sounds.

What you can do

First you need to realize that whatever you do, it's only good until the bad guys catch on. These techniques may work for a while, but they won't last forever. That being said, they should be decent enough to use a a basis for any foreseeable future.

Do not use dictionary words

For a long time, people have used a combination of words from the dictionary and maybe some numbers thrown in to compose their passwords. Maybe something you like and your lucky number (Dragon13), or a person's name and a year (michelle1980), or if the rules are a bit stricter, capitalization may be required (SomePassword123). The problem with this is that the patterns are far too predictable. Anyone can grab a few dictionaries and run some rules against them to come up with these combinations. Don't think that simply making them leetspeak or toggle-cased will fix this either. dR4g0n13 is just as easily cracked using the default rules that come with the Hashcat password cracking software.

Dictionary chaining

A popular web comic one cited "correct horse battery staple" as being an excellent password. The problem here is that hackers are now chaining multiple dictionary words together more frequently, and in a way it actually makes passwords weaker. If we think about it for a moment, when you are only trying dictionary words, each word takes the role of a character position. If you only use 4 words in your password, it's akin to using a 4 character password for those attacks.

Do not use personal information

Personal information should be avoided at all costs. It reveals too much about you to an attacker, and could potentially be too easy to obtain as well. This makes for a very dangerous combination. How easy would it be for someone to look up your facebook page and get personal information about you? Your interests. Your family. your friends. Places you like to go. Shows you like to watch. The internet is a tremendous archive of easily accessible personal information. So don't use it.

Recommendation in the wild

Microsoft makes the case for the following categories to create a strong password:

Is at least eight characters long.

Does not contain your user name, real name, or company name.

Does not contain a complete word.

Is significantly different from previous passwords.

Contains characters from each of the following four categories:

Uppercase letters

Lowercase letters

Numbers

Symbols

These are pretty good suggestions, but these categories on their own don't cut it. Using their example, Hello2U! is a prime example of a poor password. It comes right out of the dictionary, capitalization is at the front, and a symbol/number combination (in this case the exclamation point) is on the end. Now, there are two things two realize here. First, Microsoft makes the point that you should use spaces in your passwords. I am completely for this. The more spaces, the better. It happens to be an EXTREMELY underused character in passwords. However, their recommendation is not so great: H3ll0 2 U!. Unfortunately, this is no better than the first example. The default install of hashcat can add spaces between words and perform "leetspeak" transformations on your text, which still leaves this vulnerable.

Your passwords should definitely be long, and I do like that Microsoft recommends a minimum length, but I personally believe 8 characters to be too small. That can be a little difficult for some users, but the longer the password, the better. I tend to use no less than 20 characters for my own, but if you are using at least 10 or 12, you will be better off (assuming the passwords are being stored decently).

Entropy is your friend

By its definition, entropy is a lack of order or predictability. The greater entropy you have in a password, the harder it is to crack it. In mathematical terms, the entropy of a password is given by H=Llog2N where L is the length of the password and N is the size of the alphabet. Most people won't actually have to know what this means, but you should remember this: Use as many different unique symbols as possible in your password.

If you have a 15 character password, use 15 different characters. Again, this is a hard one for a lot of people, but it really does help. Just remember, a is not the same as A, so it's really not as bad as you might think.

Keyboard walks

Another common practice these days is to use what are called keyboard walk. This is just outright wrong! There are entire dictionaries and rulesets tailored towards these types of passwords. Just don't use them.
* qwerasdf
* qewradsf
* zaqcdexsw123

There are tons of them I could list here, but hopefully you get the point. Keyboard walks = evil = easy = you don't want to use them.

So what makes a good password?

The idea here is to hold out as long as absolutely possible against your attacker's techniques. Nothing is 100% "hack-proof", but we can make them work pretty hard for it (and hope that many will simply give up rather than spend the effort). But keeping in mind the following should help:
* It should be long (the longer the better)
* It should never contain personal information
* It should contain as much entropy as possible
* Don't be afraid to use spaces
* Avoid dictionary combinations
* If you are going to use dictionary words, misspell them!
* Do not use "keyboard walks"

The right thing to do is to use a password manager. LastPass, 1Password, RoboForm... there is no shortage of them available. Just google password manager and you will get a ton of information.

In lieu of this, you will need to make your own passwords using these rules, like so:I c4N zwim [email protected] tHan S0CRAt35 bK+g
36 characters
30 different characters (not awful, I wonder if I could make that better)

It's fairly easy to remember, and although I did use some dictionary words I used a misspelling and some random garbage in there as well.

My recommendation

Use a password manager. Many are free, they are simple to use, and when a breach occurs at your favorite site, you can simply tell it to generate you a new good password. It's really easy.